8 million leaked passwords connected to LinkedIn, dating website

An unknown hacker posted the lists online and asked for help in cracking them.

An unknown hacker has posted more than 8 million cryptographic hashes to the Internet that appear to belong to users of LinkedIn and a separate, popular dating website.

The massive dumps over the past three days came in postings to user forums dedicated to password cracking at insidepro.com. The bigger of the two lists contains almost 6.46 million passwords that have been converted into hashes using the SHA-1 cryptographic function. They use no cryptographic "salt," making the job of cracking them considerably faster: without a per-user salt, each candidate password has to be hashed only once to be compared against all 6.46 million hashes at the same time, and precomputed lookup tables work against the whole list. Rick Redman, a security consultant who specializes in password cracking, said the list almost certainly belongs to LinkedIn because he found a password in it that was unique to the professional social networking site. Robert Graham, CEO of Errata Security, said much the same thing, as did researchers from Sophos. Several Twitter users reported similar findings.

"My [LinkedIn] password was in it and mine was 20 plus characters and was random," Redman, who works for consultancy Kore Logic Security, told Ars. With LinkedIn counting more than 160 million registered users, the list is probably a small subset, most likely because the person who obtained it cracked the weakest ones and posted only those he needed help with.

"It's pretty obvious that whoever the bad guy was cracked the easy ones and then posted these, saying, 'These are the ones I can't crack,'" Redman said. He estimates that he has cracked about 55 percent of the hashes over the past 24 hours. "I think the person has more. It's just that these are the ones they couldn't seem to get."

Update 2:01 pm PDT: In a blog post posted after this article was published, a LinkedIn official confirmed that "some of the passwords that were compromised correspond to LinkedIn accounts" and said an investigation is continuing. The company has begun notifying users known to be affected and has also implemented enhanced security measures that include hashing and salting current password databases.

The smaller of the two lists contains about 1.5 million unsalted MD5 hashes. Based on the plaintext passwords that have been cracked so far, they appear to belong to users of a popular dating website, possibly eHarmony. A statistically significant percentage of users regularly pick passcodes that identify the site hosting their account. At least 420 of the passwords in the smaller list contain the strings "eharmony" or "harmony."

The lists of hashes that Ars has seen don't include the corresponding login names, making it impossible for people to use them to gain unauthorized access to a particular user's account. But it's safe to assume that information is available to the hackers who obtained the list, and it wouldn't be a surprise if it was also available in underground forums. Ars readers should change their passwords for those two sites immediately. If they used the same password on a separate site, it should be changed there, too.

eHarmony officials didn't immediately respond to a request for comment.

The InsidePro postings provide a glimpse into the sport of collective password cracking, in which people gather on forums to pool their expertise and sometimes vast amounts of computing resources.

"Please help to uncrack [these] hashes," someone with the username dwdm wrote in a June 3 post that contained the 1.5 million hashes. "All passwords are UPPERCASE."

Less than two and a half hours later, someone with the username zyx4cba posted a list that included almost 1.2 million of them, or more than 76 percent of the overall list. Two minutes later, the user LorDHash independently cracked more than 1.22 million of them and reported that about 1.2 million of the passwords were unique. As of Tuesday, following the contributions of several other users, just 98,013 uncracked hashes remained.

While forum members were busy cracking that list, dwdm on Tuesday morning posted the much larger list that Redman and others believe belongs to LinkedIn users. "Guys, need you[r] help again," dwdm wrote. Collective cracking on that list was continuing at the time of this writing Wednesday morning.

By identifying the patterns of passwords in the larger list, Redman said it's clear they were chosen by people who are accustomed to following policies enforced in larger businesses. That is, many of the passwords contained a mix of capital and lower case letters and numbers. That's another reason he suspected early on that the passwords originated on LinkedIn.

"These are business people, so a lot of them are doing it like they would in the business world," he explained. "They didn't have to use uppercase, but they are. A lot of the patterns we're seeing are the more complicated ones. I cracked a 15-character one that was just the top row of the keyboard."

Story updated to add link to Errata Security blog post, and to correct the percentage of passwords Redman has cracked.

Promoted Comments

As the article makes clear, the 6.5 million hashes are likely just those the hackers couldn't crack. What that means is that it means nothing if you don't find your password in the list. Out of an abundance of caution, readers should presume the entire list has been obtained and change their password no matter what.

Quote:

"These are business people, so a lot of them are doing it like they would in the business world," he explained. "They didn't have to use uppercase but they are. A lot of the patterns we're seeing are the more complicated ones. I cracked a 15-character one that was just the top row of the keyboard."

If any of you are stupid enough to use a formulaic password like "EDCrfvTGByhnUJM" or "!qaz@WSX3edc" you deserve to have your fucking password cracked.

When I was working as a civilian contractor in Iraq and Afghanistan, I was appalled at watching no less than four "admins" I worked with used the exact same "pattern password" to secure their admin-level accounts on government networks.

Don't use pattern passwords, or passwords that someone could easily guess. You're only setting yourself and others up for failure if you do.

I never really got into hacking or cracking myself, but reading stuff like this fascinates me. I've read other articles indicating that passphrases are a better option; random word combinations like "unicornmudjumpsoda" in mixed or even same case can be just as tough to crack by machines but easier for humans to remember. It seems like that would result in fewer passwords being left lying around, but it also seems like it would be more susceptible to dictionary attacks. Thoughts?

Quote:

If any of you are stupid enough to use a formulaic password like "EDCrfvTGByhnUJM" or "!qaz@WSX3edc" you deserve to have your fucking password cracked.

You are getting entirely the wrong lesson from this. "Weak" passwords only matter if somebody is bruteforcing/dictionary attack on random logins. This is not the case here. They managed to crack two sites and obtain and decrypt their entire password lists. So nobody is bruteforcing anything. They ALREADY HAVE YOUR PASSWORD. It doesn't matter how random it is.

The important point is to not reuse passwords and/or usernames from one site to another.

I counted, I have over 50 separate places where I have username/password combos.

Each one should theoretically need a separate, hard to guess, hard to remember, long password.

These are systems which need to be used by human beings, the fact that they are not easily useable by human beings is the fault of the systems and designers, not of the people using them. People don't work like this. They never have, and they never will. Continuing to blame people for not working like computers is silly.

And yes, I'm aware of password "vault" programs, all that does is move all your eggs to one single basket.

We need a completely new approach to this. Endless hard to guess passwords isn't it. We need to think about how human beings actually work, what we're good at and what we're not, and design around that.

While the article is interesting, it is missing the most crucial point for readers:

1) Something the average user should be concerned about (i.e. can these be used to access said accounts?)
2) Is there a way to check to see if one's information is on there?
3) What should the average user be doing to react personally to maintain information security.

Edit: Since I can't read, the information is actually in the article (thanks to the commenters who pointed it out). And the promoted comment makes it clear too.

Quote:

If any of you are stupid enough to use a formulaic password like "EDCrfvTGByhnUJM" or "!qaz@WSX3edc" you deserve to have your fucking password cracked.

Interesting. I haven't heard of simple password patterns used in dictionary type attacks before. I've employed password patterns in the past, though not with patterns as simple as you listed. Is the concern over easy-to-guess patterns? Or is it just inherent that pattern-based passwords are more insecure than say XKCD's correcthorsebatterystaple?

Quote:

You are getting entirely the wrong lesson from this. "Weak" passwords only matter if somebody is bruteforcing/dictionary attack on random logins. This is not the case here. They managed to crack two sites and obtain and decrypt their entire password lists. So nobody is bruteforcing anything. They ALREADY HAVE YOUR PASSWORD. It doesn't matter how random it is.

They only have the hashes of the passwords. They still have to crack them (with modified dictionary attacks, or brute force) to get your plaintext password.


If you are on LinkedIn or eHarmony and used the same username/password on any other sites, then you should be concerned. Change your password to something different than any other site.

Quote:

They only have the hashes of the passwords. They still have to crack them (with modified dictionary attacks, or brute force) to get your plaintext password.

With no salt, rainbow tables are going to find the weaker ones in no time.

Quote:

They only have the hashes of the passwords. They still have to crack them (with modified dictionary attacks, or brute force) to get your plaintext password.

Like they did for the guy with "20 plus characters and was random"? Once they have the hash table it's much easier to find out that one specific password to that site. If you didn't reuse that specific one any place else it doesn't matter. Your account on that site is probably already boned anyway.

Quote:

If you are on LinkedIn or eHarmony and used the same username/password on any other sites, then you should be concerned. Change your password to something different than any other site.

I already changed my LinkedIn password for security, but what I wasn't sure about is whether this list includes emails (i.e. is it actionable, or is it just the passwords). And what you said should be in the article.


1. Most likely the hacker has the usernames (it's in the article)
2. I would assume so (since Redman did)
3. Change your password on LinkedIn and any other places that use the same password (hopefully the number is 0, but it's probably not if you're asking these questions. Disclaimer: I use the same password in a bunch of places; I need to set up a password vault.)

Quote:

And yes, I'm aware of password "vault" programs, all that does is move all your eggs to one single basket.

Yes, a basket you control (open source if you use KeePass, that can be locked to a password and a cryptographic key) that won't be compromised when some incompetent developer stores passwords in an insecure way (no salt?) on their website. No, a password locker probably won't help you if someone is making an effort to target you specifically, to the point of gaining virtual or physical access to your machines, but that's not the kind of thing they are meant to stop.

All security measures have flaws, and you can only gain a reasonable level of security by using multiple layers of flawed systems, and making your accounts not worth the trouble of hackers and criminals that are going for volume.

From the hacker news comments, a script that can tell you whether your password is in the dump and whether or not it was already cracked (the cracked passwords are marked in the file with leading zeros)

Quote:

You are getting entirely the wrong lesson from this. "Weak" passwords only matter if somebody is bruteforcing/dictionary attack on random logins. This is not the case here. They managed to crack two sites and obtain and decrypt their entire password lists. So nobody is bruteforcing anything. They ALREADY HAVE YOUR PASSWORD. It doesn't matter how random it is.

No, they do not. They have unsalted hashes, which must then be cracked (a salted hash is more difficult).

To help crack the unsalted hashes, they'll try common patterns and strings (like l33tsp34k versions of the company name, say "3h4rm0ny" or "eharm0ny") to help the process along.

If you choose a password that has a guessable pattern like those above, you are only fucking yourself in the ass when it comes to events like this.

Quote:

From the hacker news comments, a script that can tell you whether your password is in the dump and whether or not it was already cracked (the cracked passwords are marked in the file with leading zeros)

sep332: that does not have usernames, just things that sort of appear to be hashes.

Right, these are the SHA-1 hashes that are supposedly from LinkedIn. If your password has been cracked already it is marked with 000000. Example: 'linkedin':

7728240c80b6bfd450849405e8500d6d207783b6 is not present
0000040c80b6bfd450849405e8500d6d207783b6 is present

So calculate the SHA-1 of your password and then search for the last digits to see if it has been cracked.

Quote:

To help crack the unsalted hashes, they'll try common patterns and strings (like l33tsp34k versions of the company name, say "3h4rm0ny" or "eharm0ny") to help the process along.

If you choose a password that has a guessable pattern like those above, you are only fucking yourself in the ass when it comes to events like this.

No. In a leak like this the strength of the password does not matter, because they're stored as unsalted SHA-1. People can check to see if they're on the list by hashing their password and ctrl+f'ing the list. The only thing stopping someone from doing the same with every possible char combination is time. With a couple of GPUs and a well-crafted script, little time.

Quote:

From the hacker news comments, a script that can tell you whether your password is in the dump and whether or not it was already cracked (the cracked passwords are marked in the file with leading zeros)

My fairly complicated password was in the list and had already been cracked :S

wait, so a Hacker News comment tells you to type your password into this to tell you whether or not your password is in the list?

so you're giving them a list of passwords that might not be cracked?

This is a very short python script. You download it to your machine and run it locally against the text file. It's trivially easy to verify that the script is non-malicious -- it just hashes your password then loops through the dump file to see if your hashed password is present.
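Here is what such a local check looks like, as an added example that is neither the Hacker News script the comments refer to nor anything from the article. It follows the marking convention shown earlier in the thread (the first five hex digits of an already-cracked entry overwritten with zeros, as in 7728240c80... becoming 0000040c80...) and runs against a constructed stand-in for the dump, built here from strings that appear on this page rather than lines from the real file. The second function goes a step beyond the check itself: it runs a small wordlist against the whole list at once, which is exactly why an unsalted list cracks so much faster than a salted one.

```python
import hashlib


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the UTF-8 password, as the leaked list stored it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def masked(digest: str) -> str:
    """The dump's 'already cracked' marker: first five hex digits zeroed."""
    return "00000" + digest[5:]


# Constructed stand-in for the posted dump: one hex digest per line, some
# masked as cracked. Generated here from strings that appear in the thread;
# these are not lines from the real file.
CONSTRUCTED_DUMP = "\n".join([
    masked(sha1_hex("linkedin")),         # cracked
    sha1_hex("KhDpD0wUJzIAhCDvdfYW"),     # present, not yet cracked
    masked(sha1_hex("!qaz@WSX3edc")),     # cracked keyboard pattern
    sha1_hex("unicornmudjumpsoda"),       # present, not yet cracked
    masked(sha1_hex("EHARMONY")),         # the smaller list was all-uppercase
])


def load_dump(text: str) -> dict:
    """Index the dump by the 35 hex digits that survive masking, so one
    lookup finds an entry whether or not its prefix has been zeroed."""
    index = {}
    for line in text.splitlines():
        line = line.strip().lower()
        if len(line) == 40:
            index[line[5:]] = line
    return index


def check_password(password: str, index: dict) -> str:
    """'absent', 'uncracked' (full hash present) or 'cracked' (masked entry).
    A suffix match whose prefix is neither the real digits nor zeros is a
    different hash that happens to share 35 digits, and counts as absent."""
    digest = sha1_hex(password)
    entry = index.get(digest[5:])
    if entry == digest:
        return "uncracked"
    if entry == masked(digest):
        return "cracked"
    return "absent"


def crack_unsalted(wordlist, index: dict) -> dict:
    """Dictionary attack with a few mangling rules. Because there is no
    salt, each candidate is hashed once and tested against every account
    in the dump at the same time; with a per-user salt the same wordlist
    would have to be re-hashed once per account. Returns {password: line}."""
    found = {}
    for word in wordlist:
        for candidate in (word, word.upper(), word.capitalize(), word + "1"):
            digest = sha1_hex(candidate)
            entry = index.get(digest[5:])
            if entry in (digest, masked(digest)):
                found[candidate] = entry
    return found


INDEX = load_dump(CONSTRUCTED_DUMP)

if __name__ == "__main__":
    for pw in ("linkedin", "KhDpD0wUJzIAhCDvdfYW", "password"):
        print(pw, "->", check_password(pw, INDEX))
    print(crack_unsalted(["linkedin", "eharmony", "unicornmudjumpsoda"], INDEX))
```

To use it against the real file, read the file's text into load_dump instead of CONSTRUCTED_DUMP; nothing leaves the machine, which is the whole point of running the check locally rather than pasting a password into a website.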

Quote:

From the hacker news comments, a script that can tell you whether your password is in the dump and whether or not it was already cracked (the cracked passwords are marked in the file with leading zeros)

It doesn't matter how clever of a password you dream up if the "host" isn't secure. Your only security is to not use the same password for multiple accounts.

I'd also like to point out to the tea bagger crowd that the vast majority of these security breaches occur in the private sector.

That is patently untrue, although it depends on what your interpretation of "insecure" is. If the host is hacked then salts can add some layer of protection, but will probably not protect much against short passwords (because LinkedIn needs to do verification in a limited time). However, if you link the hash generation to some physical element (e.g. a smartcard) then the attacker will need to do the bruteforcing while in contact with the host. This will significantly slow down the password cracking, and once the breach has been detected no further bruteforcing should be possible. However, the disadvantage to implementing such a solution is portability of the hashes.
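As an added example (not the commenter's design and not LinkedIn's code), this is roughly what the comment above is arguing for, written with Python's standard library: a per-user random salt and a slow hash, so that one guess no longer covers every account, plus an HMAC under a key that the password database never holds. The key stands in for the smartcard or HSM the comment mentions; here it is just an in-memory constant, which is an assumption of the example, as is the round count. Without that key an attacker holding a stolen record cannot verify guesses at all, and with a salt each guess has to be recomputed for every record.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a secret kept outside the password database (the
# comment's smartcard; a real deployment would keep it in an HSM or similar).
# Its value is arbitrary and an assumption of the example.
SERVER_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)
ROUNDS = 50_000  # PBKDF2 work factor; tune to the verification-time budget


def unsalted_sha1(password: str) -> str:
    """What the leaked list used: same password, same hash, for every user."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, key: bytes = SERVER_KEY, salt: bytes = b"") -> str:
    """Salted, slow hash (PBKDF2-HMAC-SHA256), then an HMAC under a key the
    database never holds. Stored form: pbkdf2$rounds$salt_hex$tag_hex."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)
    tag = hmac.new(key, salt + dk, hashlib.sha256).digest()
    return "pbkdf2$%d$%s$%s" % (ROUNDS, salt.hex(), tag.hex())


def verify_password(password: str, stored: str, key: bytes = SERVER_KEY) -> bool:
    """Recompute the tag from the stored salt and rounds; compare in constant time."""
    _algo, rounds, salt_hex, tag_hex = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(rounds))
    tag = hmac.new(key, salt + dk, hashlib.sha256).digest()
    return hmac.compare_digest(tag, bytes.fromhex(tag_hex))


def offline_attack(stored: str, wordlist, key: bytes):
    """What an attacker holding one stolen record can do with a wordlist.
    Every guess costs a full PBKDF2 run for this record alone (the salt
    stops work being shared across accounts), and without the right key no
    guess ever verifies, so the stolen rows are not crackable offline."""
    for guess in wordlist:
        if verify_password(guess, stored, key):
            return guess
    return None


if __name__ == "__main__":
    pw = "correcthorsebatterystaple"
    rec1, rec2 = hash_password(pw), hash_password(pw)
    print("unsalted digests equal:", unsalted_sha1(pw) == unsalted_sha1(pw))
    print("salted records equal:  ", rec1 == rec2)
    print("insider with key:      ", offline_attack(rec1, ["linkedin", pw], SERVER_KEY))
    print("attacker without key:  ", offline_attack(rec1, ["linkedin", pw], b"attacker-guess"))
```

The caveat the commenter raises still holds: the server must be able to verify a login in bounded time, so the round count is a budget, and the key only helps while it stays off the database host and its use can be cut off once a breach is detected.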

Quote:

I counted, I have over 50 separate places where I have username/password combos.

Really? That few? I have 40 for Work alone. I have about 100 more for general 'Net sites, and then there's banking ones, job search related ones, passwords for other family members (like my kids' logins to Animal Jam and Poptropica)...

Quote:

And yes, I'm aware of password "vault" programs, all that does is move all your eggs to one single basket.

Yes. But the point is that it's a SINGLE basket with an arbitrarily difficult password (I know both mine and my wife's are exceptionally difficult) that YOU control. As long as you use a local password store then it's not in some random database on a remote system which can get hacked and stolen. They would have to target YOU specifically, most likely a device in YOUR control. If someone wants to do that, then you're most likely screwed anyway, but I think it's safe to say that most people are in no more danger of that than being struck by lightning. Repeatedly. Yes, it happens. It's not a real concern though.

And so what do you gain by this? That when some random site gets its passwords stolen AGAIN you'll have to worry about only that one site. As an example I just changed my LinkedIn password, and I'm not worried about the other 200+ passwords I have because they're all unique. Here, you can even have my old LinkedIn password -- KhDpD0wUJzIAhCDvdfYW. Have fun. Oh, and that's the first time I've ever seen it in clear text, because frankly I don't care what my passwords are. The only one I need to know is my master password.

Quote:

We need a completely new approach to this. Endless hard to guess passwords isn't it. We need to think about how human beings actually work, what we're good at and what we're not, and design around that.

Good luck; have fun. Realize that passwords were originally exactly that -- humans are actually very good at remembering short strings associated with a particular thing. Problem is, short strings are also easily broken by computers. Long strings aren't easily broken, but they're not easily memorized either (phrases can help, but I'm not going to memorize 200+ different multi-word phrases).

The only viable solution I can think of is to go to something like SecurID or Battle.net's mobile authenticator for every site -- but that's not dramatically different from using a password program. And the reality is that nobody's going to agree on a single standard, so you'll be carrying a dozen fobs or mobile programs around with you.

Really, use a password vault. Personally, I use KeePass -- it's free, it's open source (for varying definitions of open; but you can at least check that it's not storing things in the clear and it's using the crypto it claims to), and it's available on every platform I use, including my iPhone (that wasn't free, but I don't mind shucking a few bucks to the developer). There are plenty of alternatives out there. It's a lot better than changing a dozen passwords when one of them gets compromised.